CVE-2016-0167, a zero-day vulnerability addressed in April's Patch Tuesday, was apparently leveraged by attackers, FireEye research reveals. Cyber criminals have exploited the vulnerability in targeted attacks on more than 100 North American companies.
FireEye’s blog post on the matter discloses that threat actors have initiated spear-phishing attacks in March this year. Victims of the campaigns include companies in various industries, such as retail, restaurant, and hospitality.
CVE-2016-0167 Official Description
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0143 and CVE-2016-0165.
A Look Into the CVE-2016-0167 Attack
Where exactly was the elevation of privilege vulnerability located? In the win32k Windows Graphics subsystem. “CVE-2016-0167 is a local elevation of privilege vulnerability in the win32k Windows Graphics subsystem. An attacker who had already achieved remote code execution (RCE) could exploit this vulnerability to elevate privileges”, FireEye researchers write.
As for the spear phishing attacks, it is known that the emails carried malicious Microsoft Word attachments.
Learn more about Phishing and Its Forms
Upon opening the attachment, embedded macros would execute a downloader identified as Punchbuggy.
What Is Punchbuggy?
It is a DLL downloader that exists in both 32-bit and 64-bit versions. The downloader retrieves malicious code over HTTPS. The attackers used it to interact with the targeted systems and “move laterally across victim environments”.
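The chain described above (a Word macro launching a DLL downloader) leaves a process-lineage trace that defenders can look for. The script below is an added example, not code from the original article or from FireEye: it scans constructed process-creation events (a simplified, pipe-separated form of Sysmon Event ID 1, a layout assumed for this example) and flags any Office application that spawns a known DLL or script loader such as rundll32.exe, raising the severity when the command line points into a user-writable temp directory.

```python
"""Added example (not from the original article): detect Microsoft Office
applications spawning DLL/script loaders, the lineage a macro-launched
downloader such as the one described above would produce.

Event format (an assumption for this example, loosely modelled on Sysmon
Event ID 1): "timestamp|parent_image|image|command_line".
"""
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOADER_CHILDREN = {
    "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
# Directories a macro can write to without elevated rights; a loader reading
# its payload from here is more suspicious than one using system DLLs.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")

# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    "2016-03-14T10:02:11|C:\\Windows\\explorer.exe|"
    "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|WINWORD.EXE invoice.doc",
    "2016-03-14T10:02:15|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|"
    "C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll,Start",
    "2016-03-14T10:03:40|C:\\Windows\\System32\\svchost.exe|"
    "C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "2016-03-14T10:05:02|C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoProfile -WindowStyle Hidden -File report.ps1",
    "malformed line without enough fields",
]


@dataclass
class Alert:
    timestamp: str
    parent: str        # basename of the parent image, lower-cased
    child: str         # basename of the spawned image, lower-cased
    command_line: str
    severity: str      # "medium" or "high"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-separated event; return None for malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, parent_image, image, cmdline = parts
    return {"ts": ts, "parent": basename(parent_image),
            "child": basename(image), "cmdline": cmdline}


def find_office_spawned_loaders(lines: List[str]) -> List[Alert]:
    """Return an Alert for every Office -> loader process creation."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not match the expected layout
        if ev["parent"] in OFFICE_PARENTS and ev["child"] in LOADER_CHILDREN:
            lowered = ev["cmdline"].lower()
            severity = ("high" if any(m in lowered for m in USER_WRITABLE_MARKERS)
                        else "medium")
            alerts.append(Alert(ev["ts"], ev["parent"], ev["child"],
                                ev["cmdline"], severity))
    return alerts


if __name__ == "__main__":
    for a in find_office_spawned_loaders(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.timestamp} {a.parent} -> {a.child}: {a.command_line}")
```

Only the two events where an Office binary is the parent are reported; the svchost-launched rundll32.exe (normal Control Panel behaviour) is ignored, and the rundll32.exe loading a DLL from a Temp directory is rated high. In a real deployment the same logic would read from the SIEM or Sysmon channel rather than the constructed list.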
However, the vulnerability exploit did not do the dirty work by itself; it was combined with a point-of-sale memory scraping tool known as Punchtrack. The scenario led to the attack on over 100 North American companies, and as a result track 1 and track 2 credit card data were stolen from the companies' PoS systems.
Fortunately, the vulnerability has been fixed in Microsoft's recent updates. However, a system that has not applied the fix may still be vulnerable. So make sure Windows is up to date, and do not give attackers a way to exploit you and your finances.
Have a look at Microsoft’s Latest Patch Tuesday